Increase of phpMyAdmin scans
PMA (or "phpMyAdmin") is a well-known MySQL front-end written in PHP that "brings MySQL to the web", as stated on its web site[1]. The tool is very popular among web developers because it lets them maintain databases with nothing more than a web browser. This also means that the front-end may be publicly exposed! Finding an old PMA interface left behind by an admin is a common result in penetration tests.
Even if PMA restricts access with a login page, it lacks protection against brute-force attacks. One of my favourite tools to perform such an attack is Patator[2]:
```bash
$ patator http_fuzz url=http://www.acme.org/pma/index.php \
    method=POST \
    body="pma_username=admin&pma_password=COMBO00&server=1&target=index.php&lang=en&token=" \
    0=dictionary.txt \
    before_urls=http://www.acme.org/pma/index.php \
    accept_cookie=1 \
    follow=1 \
    -x ignore:fgrep="Cannot log in to the MySQL server"
```
Today, I detected an increasing amount of attempts to find PMA interfaces against my honeypots. Here is an extract of the tested URLs:
```
/mysql/admin/
/mysql/dbadmin/
/mysql/sqlmanager/
/mysql/mysqlmanager/
/phpmyadmin/
/phpMyadmin/
/phpMyAdmin/
/phpmyAdmin/
/phpmyadmin2/
/phpmyadmin3/
/phpmyadmin4/
/2phpmyadmin/
/phpmy/
/phppma/
/myadmin/
/phpmyadmin/
/PMA/
/dbadmin/
/pma/
/db/phpmyadmin/
/db/phpMyAdmin/
/sqlmanager/
/mysqlmanager/
/php-myadmin/
/phpmy-admin/
/mysqladmin/
/mysql-admin/
/admin/phpmyadmin/
/admin/phpMyAdmin/
/admin/sysadmin/
/admin/sqladmin/
/admin/db/
/admin/web/
/admin/pMA/
/mysql/pma/
/mysql/pMA/
/sql/phpmanager/
/sql/php-myadmin/
/sql/phpmy-admin/
/sql/myadmin/
/sql/webadmin/
/sql/sqlweb/
/sql/websql/
/sql/webdb/
/sql/sqladmin/
/sql/sql-admin/
/sql/phpmyadmin2/
/sql/phpMyAdmin2/
/sql/phpMyAdmin/
/db/myadmin/
/db/webadmin/
/db/websql/
/db/dbadmin/
/db/db-admin/
/db/phpmyadmin3/
/db/phpMyAdmin3/
/db/phpMyAdmin-3/
/administrator/phpmyadmin/
/administrator/phpMyAdmin/
/administrator/pma/
/administrator/PMA/
/phpMyAdmin2/
/phpMyAdmin3/
/phpMyAdmin4/
/phpMyAdmin-3/
/php-my-admin/
/PMA2011/
/PMA2012/
/PMA2013/
/PMA2014/
/PMA2015/
/PMA2016/
/PMA2017/
/PMA2018/
/pma2011/
/pma2012/
/pma2013/
/pma2014/
/pma2015/
/pma2016/
/pma2017/
/pma2018/
/phpmyadmin2011/
/phpmyadmin2012/
/phpmyadmin2013/
/phpmyadmin2014/
/phpmyadmin2015/
/phpmyadmin2016/
/phpmyadmin2017/
/phpmyadmin2018/
/phpmanager/
```
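The two behaviours described above, the directory walk over well-known PMA paths and the repeated POSTs to the login form, both leave a clear footprint in an ordinary web server access log. The following Python script is an added example (not code from the diary or from the phpMyAdmin project) that parses combined-format log lines and reports sources that probe several PMA directories or hammer a PMA `index.php` with POST requests. The log lines, the IP addresses and the thresholds are constructed for the example; the path list is a subset of the one in the diary and should be extended with the full list.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not taken from the
# diary or from any real honeypot. 203.0.113.7 walks through several PMA paths,
# 198.51.100.9 hammers the login form of an existing /pma/ install.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:10:00:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:10:00:02 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:10:00:02 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Jan/2018:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2018:10:05:00 +0000] "GET /pma/ HTTP/1.1" 200 2210 "-" "python-requests/2.18.4"
198.51.100.9 - - [10/Jan/2018:10:05:01 +0000] "POST /pma/index.php HTTP/1.1" 200 3120 "-" "python-requests/2.18.4"
198.51.100.9 - - [10/Jan/2018:10:05:01 +0000] "POST /pma/index.php HTTP/1.1" 200 3120 "-" "python-requests/2.18.4"
198.51.100.9 - - [10/Jan/2018:10:05:02 +0000] "POST /pma/index.php HTTP/1.1" 200 3120 "-" "python-requests/2.18.4"
198.51.100.9 - - [10/Jan/2018:10:05:02 +0000] "POST /pma/index.php HTTP/1.1" 200 3120 "-" "python-requests/2.18.4"
198.51.100.9 - - [10/Jan/2018:10:05:03 +0000] "POST /pma/index.php HTTP/1.1" 200 3120 "-" "python-requests/2.18.4"
"""

# Subset of the probed paths listed in the diary; extend with the full list.
PMA_PATHS = [
    "/phpmyadmin/", "/phpMyAdmin/", "/phpmyadmin2/", "/phpMyAdmin3/", "/pma/", "/PMA/",
    "/myadmin/", "/dbadmin/", "/mysqladmin/", "/admin/phpmyadmin/", "/sql/phpmyadmin/",
    "/db/phpmyadmin/", "/mysql/admin/", "/mysqlmanager/", "/pma2018/", "/phpmyadmin2018/",
]
PMA_PATHS_LOWER = {p.lower() for p in PMA_PATHS}

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, method, path-without-query, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def directory_of(path):
    """'/pma/index.php' -> '/pma/', '/pma/' -> '/pma/'."""
    if path.endswith("/"):
        return path
    return path.rsplit("/", 1)[0] + "/"


def analyze(log_text, probe_threshold=3, login_threshold=5):
    """Flag IPs touching many distinct PMA directories, and IPs posting to a PMA login repeatedly."""
    probes = defaultdict(set)   # ip -> distinct PMA directories requested
    logins = defaultdict(int)   # ip -> POSTs to a PMA index.php (login attempts)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, _status = rec
        directory = directory_of(path)
        if directory.lower() not in PMA_PATHS_LOWER:
            continue
        probes[ip].add(directory)
        if method == "POST" and path.lower().endswith("/index.php"):
            logins[ip] += 1
    return {
        "scanners": {ip: sorted(d) for ip, d in probes.items() if len(d) >= probe_threshold},
        "bruteforcers": {ip: n for ip, n in logins.items() if n >= login_threshold},
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for ip, detail in hits.items():
            print(f"{kind}: {ip} -> {detail}")
```

Matching is done on the lower-cased directory so that `/phpmyadmin/` and `/phpMyAdmin/` both count as PMA probes while still being recorded as distinct paths; a scanner walking the diary's list will typically produce dozens of 404s from one address within a few seconds, which is why a low threshold on distinct directories works well. Feed the output to whatever blocking or alerting you already have (fail2ban-style jails, a SIEM rule, or a firewall update).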
Also, older releases of phpMyAdmin have multiple known vulnerabilities[3]. Databases are critical components in most modern web applications. If access is not properly restricted, it may be possible to reach other (internal? confidential?) databases from a compromised phpMyAdmin. My advice is to simply NOT expose these administration tools to the wild Internet and, if it is required, to not rely on the default protection mechanisms. A simple extra protection layer is to restrict access to internal hosts or VPNs with an IP access-list. An example with Apache:
```
<Directory "/pma">
    order deny,allow
    deny from all
    allow from 10.0.0.1
    allow from 10.0.0.2
</Directory>
```
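The directives above are the Apache 2.2 `Order`/`Deny`/`Allow` syntax of mod_authz_host; on Apache 2.4 they only work through mod_access_compat, and the native equivalent is `Require ip 10.0.0.1 10.0.0.2`. Whatever the syntax, the important property is that the list fails closed: with `order deny,allow`, a client matching neither list is permitted, so dropping the `deny from all` line silently opens the directory. The following Python script is an added example (not code from the diary or from the Apache project) that parses such a block and evaluates client addresses with the 2.2 ordering rules, with a small audit for the fail-open mistake. Both configs are constructed for the example; the `192.168.10.0/24` entry is added to show CIDR handling. One caveat that applies regardless of the syntax: behind a reverse proxy or load balancer the web server sees the proxy's address, so an address-based list must be enforced where the real client address is known.

```python
import ipaddress

# Constructed config in the same shape as the diary's Apache 2.2 example
# (Order/Deny/Allow from mod_authz_host). A /24 is added to show CIDR handling.
STRICT_CONFIG = """\
<Directory "/pma">
    order deny,allow
    deny from all
    allow from 10.0.0.1
    allow from 10.0.0.2
    allow from 192.168.10.0/24
</Directory>
"""

# Same block with the "deny from all" line forgotten: under "order deny,allow"
# a client matching neither list is permitted, so this is wide open.
WEAK_CONFIG = """\
<Directory "/pma">
    order deny,allow
    allow from 10.0.0.1
    allow from 10.0.0.2
</Directory>
"""


def parse_acl(config):
    """Collect the Order, 'Deny from' and 'Allow from' directives of one <Directory> block."""
    order, denies, allows = "deny,allow", [], []   # Apache's default Order
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            bucket = denies if key == "deny" else allows
            for item in parts[2:]:
                # Plain addresses become /32 (or /128) networks; "all" is kept as a marker.
                bucket.append("all" if item.lower() == "all"
                              else ipaddress.ip_network(item, strict=False))
    return order, denies, allows


def _matches(ip, rules):
    return any(rule == "all" or ip in rule for rule in rules)


def is_allowed(client_ip, config):
    """Evaluate a client address the way mod_authz_host (Apache 2.2) resolves Order."""
    order, denies, allows = parse_acl(config)
    ip = ipaddress.ip_address(client_ip)
    denied, allowed = _matches(ip, denies), _matches(ip, allows)
    if order == "deny,allow":
        # Deny rules first, Allow overrides them; unmatched clients are permitted.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules first, Deny overrides them; unmatched clients are refused.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


def audit(config):
    """Return findings for access-lists that do not fail closed."""
    order, denies, allows = parse_acl(config)
    findings = []
    if order == "deny,allow" and "all" not in denies:
        findings.append("order deny,allow without 'deny from all': unmatched clients are allowed")
    if "all" in allows:
        findings.append("'allow from all' present: the list restricts nothing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("strict", STRICT_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "findings:", audit(cfg) or "none")
        for client in ("10.0.0.1", "192.168.10.77", "203.0.113.7"):
            print(f"  {client}: {'allowed' if is_allowed(client, cfg) else 'denied'}")
```

Running it shows that `203.0.113.7` is refused by the strict block and admitted by the weak one, which is exactly the difference a quick review of a production vhost should catch before the interface goes live.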
[1] https://www.phpmyadmin.net/
[2] https://github.com/lanjelot/patator
[3] https://www.cvedetails.com/vulnerability-list/vendor_id-784/cvssscoremin-7/cvssscoremax-7.99/Phpmyadmin.html
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant